Shop Talk: Laying the Foundation of Good Compliance and Governance.

Every company is unique, and its compliance program must be too if it has any chance of working well, but there are still some common aspects that most high-functioning compliance and governance programs share.

Compliance and governance can’t just be wedged into existing functions and reporting lines; integration must be carefully engineered so it effectively meshes with business lines and a wide variety of departments, from internal audit to HR, IT, and finance. At the same time, compliance must have the independence it needs to surface concerns, play a lead role in investigations, and influence culture.

Those dual interests were an underlying theme at the latest Compliance Week executive roundtable, co-hosted with The Boeing Co. in Dallas earlier this month. Compliance executives from a wide range of industries and companies, including Boeing, GE Capital, AT&T, Dr Pepper Snapple, and American Airlines, shared strategies on structuring and organizing the compliance function. They all weighed in on what compliance and governance means to their organizations and how it flows through to various reporting lines.

ROUNDTABLE PARTICIPANTS

The following panelists participated in the Nov. 6 Compliance Week & Boeing roundtable on structuring compliance and ethics.

“We all struggle with and debate over where should all these different functions sit—compliance, enterprise risk management, audit, enterprise information governance, and corporate governance,” said Judy Carter, vice president for compliance and audit for BNSF Railway. “There are so many common goals that run through each of these functions. The objective is to structure your organization so you can effectively leverage all of these efforts.”

Roundtable participants agreed that compliance officers tend to wear several hats, and that it’s not always easy to move among the many different necessary roles. Staying on top of everything can be a challenge, and as businesses grow or evolve, complications are even more pronounced.

Eric Hinton, senior director of ethics and compliance for 7-Eleven, said his goal is to bring order to “pieces of compliance that live in a lot of different places.” “We can improve that by consolidating and rationalizing it and making it more coherent across the enterprise,” he said.

Within the corporation, effective interaction with other areas is a concern that Doug Cotton, managing director of American Airlines’ business ethics and compliance program, had in common with other roundtable participants. Compliance oversight raises a thorny issue: “How far do we push without having them think we are trying to take over?”

Buy-in from executive leadership alone doesn’t necessarily make that effort any easier. “We get really good tone from the top and have really good policies. The struggle is making sure everybody understands those policies,” Eric Bowman, chief compliance officer for Darling International, said.

Diana Sands, senior vice president for the Office of Internal Governance at Boeing, described compliance at the aerospace giant as a journey. What originated as a response and enforcement function now has a “vision around enabling company performance.” The important question: “Can we gain a competitive advantage if we do it more effectively and efficiently?”

In her role, Sands oversees Boeing’s compliance and ethics program. She is responsible for ethics, trade controls, compliance risk management, and for the team of professionals who comprise internal audit. “In the beginning, it was all about setting up the appropriate structure and rules,” she said. “What we have evolved to is being an integrated business partner, a function that provides centralized and focused expertise in the field and is also integrated with the businesses.” By bringing multiple interests to the same table, the goal is to foster a seamless sharing of information among stakeholders, she said.

Talking the Walk

While proper care and feeding is necessary to get company leadership to work toward the same goal as the compliance team, tone at the middle may require just as much finesse. “The bigger challenge is in the middle,” one participant said. The diplomatic task at hand is to not have them thinking that compliance “is questioning their own judgment, ethics, or professionalism.” “You are not really trying to do that, but there is that perception,” he added.

“If everybody is looking through the same risk lens, you begin to prioritize and determine what level of resources you need to apply to approach that risk.”

Expectations must be reasonable. “You have to also exercise good judgment,” one participant said of compliance oversight and risk prioritization. “You can’t turn over every pebble on the beach or chase every rabbit.” Success depends upon having credibility throughout the business units and displaying a “willingness to hear what their key risks are, rather than just assuming on your own.”

Improving the perception of complience's role—avoiding the view that it is a police officer for the organization or, in that old cliché, the “Department of No”—was presented as an ongoing battle. What is the best way to create an alternate perception, as a partner and facilitator for the business?

“We have to really know the business and help the business units understand the compliance risks; that is where we can help,” Sands said of intra-company outreach.

“Every dollar spent on remediation is a dollar the business can’t spend on innovation,” agreed William Gordon, associate general counsel for Hercules Offshore. “At the same time, a strong compliance program can improve the quality of the business and deliver a sustained return on investment.”

Unifying Factors

Another important aspect of effective compliance and governance functions is that they work well with related functions, such as legal, audit, and HR. It is important to understand how various functions operate within their own sphere of influence. “There are just a lot of differences in terms of approach,” one participant said. “Auditors and accountants are going to want to follow the book and follow COSO to a ‘T.’ Lawyers are more procedurally oriented.”

“No matter what, compliance organizations need to work closely with their functional partners,” Sands said. “In-house counsel, HR, finance and other subject matter experts are important team players. In all my groups there are lawyers and other functions tied in,” she explained. “To be effective, it’s important to be cross-functionally integrated and well-embedded in the business processes.”

The unifying factor, what ultimately puts them all on the same team, is risk. “One of the synergies taking place in the governance space is the ability for compliance, legal and internal audit to approach challenges from a consistent risk perspective,” says Steve Koslow, chief ethics and compliance officer for CUNA Mutual Fund Group. “With greater communication and a common framework for risk analysis these areas can better coordinate the services they provide. If everybody is looking through the same risk lens, risk prioritization becomes an effective means for allocating limited business area resources.”

“We have a quarterly compliance meeting where we bring lots of people together who don’t report up to the CCO,” Cotton said. “You have HR there and audit, safety, security, customs, and environmental. We get all sorts of people together who don’t normally talk so they can share ideas.”

“I often find I’m called upon to be the one putting focus to all those lenses,” Bowman said of his role. “I can speak legal, I can speak accounting, and I can speak HR.”

Optics Matter

A world-class compliance function doesn’t just function well; it can also demonstrate that effectiveness. Faced with an investigation or government inquiry, a company cannot just describe its compliance efforts; it must document them. That proof of concept is an effort that extends companywide. “We may be doing everything right, but we need to demonstrate that we are doing everything right,” it was observed.

Ultimately, no matter the structure or who reports where, “The end game for compliance and auditing is exactly the same,” Carter said. “Each function may get there very differently, but they have the same ultimate goal. Risk is never completely eliminated from any business model, but both functions work to reduce risk as much as possible and minimize potential exposure.”